Bug 1986408 - Add NE-310 HSTS to 4.9
Summary: Add NE-310 HSTS to 4.9
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ---
Target Release: 4.9.0
Assignee: Candace Holman
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-27 13:26 UTC by Candace Holman
Modified: 2022-08-04 22:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:41:59 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift openshift-apiserver pull 224 0 None open Bug 1986408: NE-310 HSTS Route Admission Plugin 2021-07-27 14:03:12 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:42:00 UTC

Comment 3 Arvind iyengar 2021-08-06 04:31:48 UTC
Verified in "4.9.0-0.nightly-2021-08-03-135217" release version. In this release it is observed that the HSTS header validation gets enforced as expected when defined in the cluster ingresses resource:
-----
oc get clusterversion                     
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-08-03-135217   True        False         22h     Cluster version is 4.9.0-0.nightly-2021-08-03-135217

Adding the "requiredHSTSPolicies" option to the ingresses resource globally:

  domain: apps.aiyengar49bz.qe.devcluster.openshift.com
  requiredHSTSPolicies:
  - domainPatterns:
    - '*.internalapps.aiyengar49bz.qe.devcluster.openshift.com'
    includeSubDomainsPolicy: RequireIncludeSubDomains
    maxAge:
      largestMaxAge: 30000 <---
      smallestMaxAge: 1
    preloadPolicy: RequirePreload

Modify the header for the secure route:

oc annotate route reen-route  haproxy.router.openshift.io/hsts_header='max-age=25000;includeSubDomains;preload' --overwrite
route.route.openshift.io/reen-route annotated

curl -Ik https://reen-route-test1.internalapps.aiyengar49bz.qe.devcluster.openshift.com      
HTTP/1.1 200 OK
server: nginx/1.18.0
date: Thu, 05 Aug 2021 11:23:07 GMT
content-type: text/html
content-length: 51
last-modified: Thu, 05 Aug 2021 06:22:14 GMT
etag: "610b8396-33"
accept-ranges: bytes
strict-transport-security: max-age=30000;includeSubDomains;preload

oc annotate route reen-route  haproxy.router.openshift.io/hsts_header='max-age=30001;includeSubDomains;preload' --overwrite
Error from server (Forbidden): routes.route.openshift.io "reen-route" is forbidden: is greater than maximum age (30000)

-----
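The verification above exercises the admission check from the outside: a policy in the cluster ingresses resource bounds max-age, requires includeSubDomains and preload, and a route annotation outside those bounds is rejected. The block below is an added, illustrative model of that check in Python, written for this page; it is not the code of the openshift-apiserver admission plugin linked above. It assumes the policy fields shown in the comment (domainPatterns, maxAge.smallestMaxAge/largestMaxAge, includeSubDomainsPolicy, preloadPolicy), assumes a leading "*." in a domain pattern matches any subdomain of that suffix, assumes the route is TLS-terminating (the real plugin does not apply to passthrough routes), and the error strings other than the "greater than maximum age" one are its own wording.

```python
"""Illustrative model of OpenShift's requiredHSTSPolicies route admission check.
Added example for this bug page; NOT the openshift-apiserver plugin's code.
Assumptions: the policy shape from comment 3, '*.suffix' patterns match any
subdomain, and the route being admitted is an edge/reencrypt (TLS) route."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HSTS_ANNOTATION = "haproxy.router.openshift.io/hsts_header"  # annotation from the page


@dataclass
class MaxAgePolicy:
    smallest_max_age: Optional[int] = None
    largest_max_age: Optional[int] = None


@dataclass
class RequiredHSTSPolicy:
    domain_patterns: List[str]
    max_age: MaxAgePolicy = field(default_factory=MaxAgePolicy)
    # RequireIncludeSubDomains | RequireNoIncludeSubDomains | NoOpinion
    include_subdomains_policy: str = "NoOpinion"
    # RequirePreload | RequireNoPreload | NoOpinion
    preload_policy: str = "NoOpinion"


def parse_hsts_header(value: str) -> Tuple[int, bool, bool]:
    """Parse 'max-age=N;includeSubDomains;preload' into (max_age, include, preload).
    Raises ValueError on an unknown directive or a missing/invalid max-age."""
    max_age, include, preload = None, False, False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if not val.strip().isdigit():
                raise ValueError(f"invalid max-age value {val.strip()!r}")
            max_age = int(val.strip())
        elif name == "includesubdomains":
            include = True
        elif name == "preload":
            preload = True
        else:
            raise ValueError(f"unrecognised HSTS directive {token!r}")
    if max_age is None:
        raise ValueError("HSTS header must contain a max-age directive")
    return max_age, include, preload


def matches_domain(host: str, pattern: str) -> bool:
    """Assumed matching rule: '*.suffix' matches any proper subdomain of suffix,
    anything else must match the host exactly."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".internalapps.example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def validate_route(host: str, annotations: Dict[str, str],
                   policies: List[RequiredHSTSPolicy]) -> List[str]:
    """Return the list of violations for the first policy whose domainPatterns
    match the route host; an empty list means the route would be admitted."""
    for policy in policies:
        if not any(matches_domain(host, p) for p in policy.domain_patterns):
            continue
        header = annotations.get(HSTS_ANNOTATION)
        if header is None:
            return [f"annotation {HSTS_ANNOTATION} is required for host {host}"]
        try:
            max_age, include, preload = parse_hsts_header(header)
        except ValueError as exc:
            return [str(exc)]
        errors: List[str] = []
        lo, hi = policy.max_age.smallest_max_age, policy.max_age.largest_max_age
        if hi is not None and max_age > hi:
            errors.append(f"is greater than maximum age ({hi})")  # wording seen on the page
        if lo is not None and max_age < lo:
            errors.append(f"is less than minimum age ({lo})")
        if policy.include_subdomains_policy == "RequireIncludeSubDomains" and not include:
            errors.append("includeSubDomains is required")
        if policy.include_subdomains_policy == "RequireNoIncludeSubDomains" and include:
            errors.append("includeSubDomains is not allowed")
        if policy.preload_policy == "RequirePreload" and not preload:
            errors.append("preload is required")
        if policy.preload_policy == "RequireNoPreload" and preload:
            errors.append("preload is not allowed")
        return errors
    return []  # no policy applies to this host; nothing to enforce


# The policy from comment 3, transcribed into the model above.
POLICIES = [RequiredHSTSPolicy(
    domain_patterns=["*.internalapps.aiyengar49bz.qe.devcluster.openshift.com"],
    max_age=MaxAgePolicy(smallest_max_age=1, largest_max_age=30000),
    include_subdomains_policy="RequireIncludeSubDomains",
    preload_policy="RequirePreload",
)]
ROUTE_HOST = "reen-route-test1.internalapps.aiyengar49bz.qe.devcluster.openshift.com"

if __name__ == "__main__":
    for hdr in ("max-age=25000;includeSubDomains;preload",
                "max-age=30001;includeSubDomains;preload"):
        print(hdr, "->", validate_route(ROUTE_HOST, {HSTS_ANNOTATION: hdr}, POLICIES) or "admitted")
```

Run it as a script to see the two annotations from the comment: the 25000-second header is admitted and the 30001-second one is rejected with the maximum-age violation. A host outside the domain pattern is left alone, which is the point of scoping the policy with domainPatterns rather than applying it cluster-wide.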

Comment 6 errata-xmlrpc 2021-10-18 17:41:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759
